Cookie Security


Cookies are small amounts of information written to your computer about you and your visits to Web pages. When your browser makes a request to a Web site, the browser checks its cookie file for any cookies matching the Web site. If a cookie is found, it is sent automatically by the browser as part of the HTTP headers to the Web server. Cookies are mainly used for custom pages, shopping carts, targeted advertising, and session maintenance.
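The matching step is easy to get wrong, so here is a simplified cookie jar, added as an example for this page rather than taken from the book, that models the decision a browser makes: which stored cookies belong to the site being requested, and which of those may travel over a plain HTTP connection. It follows the Netscape-era rules (host and domain matching, path prefix matching, the Secure attribute, expiry) and omits the finer points of real browsers. The hostnames shop.example, news.example and evil.example and every cookie value are constructed for the example.

```javascript
// Added example, not from the book: a simplified cookie jar that models how a
// browser decides which stored cookies to send with a request. It follows the
// original Netscape rules (host/domain matching, path prefix matching, the
// Secure attribute, expiry) and omits the finer points of real browsers.
// Hostnames and cookie values below are constructed for the example.

// A cookie whose domain is D is sent to host D and to any host under D.
function domainMatches(host, domain) {
  host = host.toLowerCase();
  return host === domain || host.endsWith('.' + domain);
}

class CookieJar {
  constructor() {
    this.cookies = [];
  }

  // Store one Set-Cookie header received in a response from responseUrl.
  // Returns true if the cookie was stored, false if it was rejected or expired.
  setCookie(responseUrl, header, now = Date.now()) {
    const url = new URL(responseUrl);
    const [pair, ...attrs] = header.split(';').map((s) => s.trim());
    const eq = pair.indexOf('=');
    const cookie = {
      name: pair.slice(0, eq),
      value: pair.slice(eq + 1),
      domain: url.hostname.toLowerCase(), // default: only the host that set it
      path: '/',
      secure: false,
      expires: null,                      // null: session cookie, memory only
    };
    for (const attr of attrs) {
      const [k, v = ''] = attr.split('=');
      switch (k.toLowerCase()) {
        case 'domain': cookie.domain = v.replace(/^\./, '').toLowerCase(); break;
        case 'path': cookie.path = v || '/'; break;
        case 'secure': cookie.secure = true; break;
        case 'expires': cookie.expires = Date.parse(v); break;
        default: break; // unknown attributes are ignored
      }
    }
    // A response may only set cookies for its own host or a parent domain.
    // This is what keeps one site's cookies out of another site's reach.
    if (!domainMatches(url.hostname, cookie.domain)) return false;
    // A cookie with the same name, domain and path replaces the old one, so
    // sending an already-expired cookie is how a site deletes one.
    this.cookies = this.cookies.filter(
      (c) => !(c.name === cookie.name && c.domain === cookie.domain && c.path === cookie.path),
    );
    if (cookie.expires !== null && cookie.expires <= now) return false;
    this.cookies.push(cookie);
    return true;
  }

  // Build the Cookie request header the browser would attach to requestUrl.
  cookieHeader(requestUrl, now = Date.now()) {
    const url = new URL(requestUrl);
    const overTls = url.protocol === 'https:';
    return this.cookies
      .filter((c) => domainMatches(url.hostname, c.domain))
      .filter((c) => url.pathname.startsWith(c.path)) // Netscape-style prefix match
      .filter((c) => !c.secure || overTls)             // Secure cookies never go over plain HTTP
      .filter((c) => c.expires === null || c.expires > now)
      .map((c) => `${c.name}=${c.value}`)
      .join('; ');
  }
}

// Walk through the cases described in the text with constructed hosts and values.
function demo() {
  const jar = new CookieJar();
  jar.setCookie('https://shop.example/login', 'SESSIONID=a1b2c3; Path=/; Secure');
  jar.setCookie('https://shop.example/prefs', 'NEWS=sports,business; Domain=.shop.example');
  jar.setCookie('http://news.example/', 'LAYOUT=compact');
  // An unrelated site cannot plant a cookie for shop.example.
  const planted = jar.setCookie('http://evil.example/', 'SESSIONID=attacker; Domain=shop.example');
  const newsBefore = jar.cookieHeader('http://news.example/');
  // The news site deletes its cookie by re-sending it with a date in the past.
  jar.setCookie('http://news.example/', 'LAYOUT=; Expires=Thu, 01 Jan 1970 00:00:00 GMT');
  const newsAfter = jar.cookieHeader('http://news.example/');
  return {
    planted,                                                  // false
    httpsShop: jar.cookieHeader('https://shop.example/cart'), // both shop cookies
    httpShop: jar.cookieHeader('http://shop.example/cart'),   // NEWS only: SESSIONID is Secure
    other: jar.cookieHeader('https://evil.example/'),         // nothing at all
    newsBefore,                                               // LAYOUT=compact
    newsAfter,                                                // empty after deletion
  };
}

console.log(demo());
```

The two filters that matter for security are the domain check in setCookie (a site cannot write cookies for another site) and the Secure check in cookieHeader (a cookie marked Secure is withheld from plain HTTP requests, so it cannot be sniffed there).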

Let's look at each in turn.

Custom Pages

Many news-oriented Web sites or Web portals allow you to maintain your favorite settings—for example, local news, space news, sports, business, and so on. This information is sent to the browser as a cookie that is sent back to the server the next time you visit it. The server then deciphers the cookie and displays the information you want.

Shopping Carts

If you visit a site that features a "shopping cart" of items you want to purchase, a cookie can keep track of what you put in the cart. If you need to leave and come back later, the cookie makes sure your shopping cart is as you left it.

Targeted Advertising

This is a form of tracking: an advertising company whose banners appear on many sites sets its own cookie, which the browser returns each time one of those sites is visited. From it the company can determine which of those sites you visit and possibly which options you select on each.

Session Maintenance

Active Server Pages (ASP), the server scripting technology in Internet Information Services, uses cookies to maintain session information during the lifetime of a user's connection. This is necessary because HTTP is a stateless protocol. In other words, as far as the Web server is concerned, each connection is a new connection and the server retains no knowledge of previous requests.

ASP exposes a COM+ object called the Session object to ASP developers to maintain information about the user while the user is connected. For example, it's possible to easily create a shopping cart by using the Session object.

NOTE
You can disable ASP's use of sessions, and therefore not require the use of cookies, by setting the following in your ASP pages:

<%@ EnableSessionState = False %>

Now that we've looked at the common cookie, let's look at how cookies can cause privacy and security issues.

One concern is that cookies are often written to the disk drive, and a malicious Web site might try to read sensitive information, such as passwords and credit card numbers, from the cookies stored on your machine by inserting client JavaScript code into Web pages that reads the cookie information. Browsers are supposed to prevent this by letting a page read only the cookies that belong to its own site; the danger arises when a browser enforces that rule incorrectly, or when an attacker can get script into the legitimate site's own pages.

There have been vulnerabilities in the past with cookie implementations leading to illicit access to cookie information. At the time of writing, however, there were no known issues with either Netscape Navigator or Internet Explorer.

Cookies—A Reality Check

It's rare that cookies contain sensitive data such as passwords and credit card information, but it's not impossible. Still, an attacker who reads your cookies is unlikely to gain anything of interest beyond some of your surfing habits or preferences. Often the cookie data is merely a pointer into a database held at the Web server. On its own, that kind of cookie data tells an attacker nothing about you, although a pointer that identifies a live session can still be replayed, as described below.

A cookie is merely a piece of text; it is not a program, and it cannot itself carry or execute a virus.

Because much Web site technology, including IIS, uses cookies to maintain session information, another cookie security concern is the possibility that a malicious user could sniff the connection between the Web server and the browser, take a note of the cookie being used, and then replay the cookie to access the Web server. In doing so, the attacker might get access to the legitimate client's data.

You can mitigate this risk either by prompting users to reauthenticate themselves at sensitive points in the data transfer or by switching to an SSL/TLS session to protect the data and the cookie. If you do the latter, also mark the cookie Secure when you set it, so that the browser never sends it back over an unencrypted connection.

Session State in Internet Information Services 5

Session state—such as what page the user is viewing, information entered or requested by the user, and the number of times a user has visited a particular Web page—in IIS 5 is maintained by using cookies that have a name such as ASPSESSIONIDxxxx=yyyy, where xxxx is a set of letters that represents the IIS process handling the client request and yyyy is a random value used to identify the user session.

Viewing and Deleting Cookies

You can view cookies in Windows 2000 by performing the following steps:

  1. Open Windows Explorer.
  2. Navigate to the Documents And Settings folder.
  3. Open the folder with your name on it. You might be denied access to other directories.
  4. Open the Cookies folder.

In the Cookies folder, you'll see multiple text files, each of which is a cookie for a Web site you visited. The format of each file is yourname@website.txt, where yourname is your Windows 2000 account name and website is the name of the Web site the cookie came from. Because the security for this folder is controlled by access control lists (ACLs) if the drive uses NTFS, no one can access your cookies other than you (including any program running under your account) and the computer's administrator. You can safely delete any of these files.

NOTE
Because cookies are stored on a per-user basis on the current machine and the security for the folder in which the cookies are stored is controlled by ACLs, cookies cannot be used if you move to another machine or log on as a different user.

Preventing Cookies and Prompting Before Cookies Are Downloaded

You can configure Internet Explorer to reject cookies, to prompt the user for a response regarding cookies, or to accept cookies based on the security zone the browser is using. For example, the Local Intranet zone enables cookies, but the Restricted Sites zone does not enable cookies whatsoever. You can configure the cookie settings when you define security zones for your browser.

A great resource for cookie information is the Cookie Central Web site at http://www.cookiecentral.com.

Now that we've covered some of the basics of browser security, let's turn our attention to the other end of the connection, the Web server and Internet Information Services.



Designing Secure Web-Based Applications for Microsoft Windows 2000 with CDROM
Year: 1999
Pages: 138
